authorSumit Bose <sbose@redhat.com>2009-06-02 18:08:08 +0200
committerSimo Sorce <ssorce@redhat.com>2009-06-02 15:34:53 -0400
commite7514def89cbbf52cc49fbc0f8ad6fe642304331 (patch)
tree6b58e34b5efd89245e29bd9b4a470f7b562bc063
parent72a36ddec46744a6aa1443f62066c1d9e422b190 (diff)
downloadsssd-e7514def89cbbf52cc49fbc0f8ad6fe642304331.tar.gz
sssd-e7514def89cbbf52cc49fbc0f8ad6fe642304331.tar.xz
sssd-e7514def89cbbf52cc49fbc0f8ad6fe642304331.zip
added tls_reqcert option for native LDAP backend
To allow access to LDAP servers which do not provide SSL/TLS encryption, the option tls_reqcert is added to the native LDAP backend. It accepts the same arguments as the corresponding OpenLDAP option documented in ldap.conf(5) and should perform accordingly.
-rw-r--r--server/providers/ldap/ldap_auth.c32
1 files changed, 32 insertions, 0 deletions
diff --git a/server/providers/ldap/ldap_auth.c b/server/providers/ldap/ldap_auth.c
index b21008954..476dbc730 100644
--- a/server/providers/ldap/ldap_auth.c
+++ b/server/providers/ldap/ldap_auth.c
@@ -786,6 +786,8 @@ int sssm_ldap_auth_init(struct be_ctx *bectx,
char *user_search_base;
char *user_name_attribute;
char *user_object_class;
+ char *tls_reqcert;
+ int ldap_opt_x_tls_require_cert;
int network_timeout;
int opt_timeout;
int ret;
@@ -850,6 +852,36 @@ int sssm_ldap_auth_init(struct be_ctx *bectx,
if (ret != EOK) goto done;
ctx->network_timeout = opt_timeout;
+ ret = confdb_get_string(bectx->cdb, ctx, bectx->conf_path,
+ "tls_reqcert", NULL, &tls_reqcert);
+ if (ret != EOK) goto done;
+ if (tls_reqcert != NULL ) {
+ if (strcasecmp(tls_reqcert, "never") == 0) {
+ ldap_opt_x_tls_require_cert = LDAP_OPT_X_TLS_NEVER;
+ } else if (strcasecmp(tls_reqcert, "allow") == 0) {
+ ldap_opt_x_tls_require_cert = LDAP_OPT_X_TLS_ALLOW;
+ } else if (strcasecmp(tls_reqcert, "try") == 0) {
+ ldap_opt_x_tls_require_cert = LDAP_OPT_X_TLS_TRY;
+ } else if (strcasecmp(tls_reqcert, "demand") == 0) {
+ ldap_opt_x_tls_require_cert = LDAP_OPT_X_TLS_DEMAND;
+ } else if (strcasecmp(tls_reqcert, "hard") == 0) {
+ ldap_opt_x_tls_require_cert = LDAP_OPT_X_TLS_HARD;
+ } else {
+ DEBUG(1, ("Unknown value for tls_reqcert.\n"));
+ ret = EINVAL;
+ goto done;
+ }
+ /* LDAP_OPT_X_TLS_REQUIRE_CERT has to be set as a global option, because
+ * the SSL/TLS context is initialized from this value. */
+ ret = ldap_set_option(NULL, LDAP_OPT_X_TLS_REQUIRE_CERT,
+ &ldap_opt_x_tls_require_cert);
+ if (ret != LDAP_OPT_SUCCESS) {
+ DEBUG(1, ("ldap_set_option failed: %s\n", ldap_err2string(ret)));
+ ret = EIO;
+ goto done;
+ }
+ }
+
*ops = &sdap_auth_ops;
*pvt_data = ctx;
ret = EOK;
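Review bot: Configuring tls_reqcert as `never` or `allow` silently turns off server certificate verification, and because the option is applied with a NULL handle on the line `ret = ldap_set_option(NULL, LDAP_OPT_X_TLS_REQUIRE_CERT, ...)` it is process-wide, affecting every LDAP handle in this process rather than only this backend; nothing in the hunk records that this happened. I would log it once where the value is mapped, e.g. `DEBUG(1, ("tls_reqcert=%s disables server certificate verification; the session can be intercepted by an impersonating server.\n", tls_reqcert));` in the `never` and `allow` branches, so an operator who later debugs a "working" connection sees the trade-off that was made. The rejection path would also be more useful with the offending value in it: `DEBUG(1, ("Unknown value [%s] for tls_reqcert.\n", tls_reqcert));`. When the option is absent the hunk leaves libldap's own default in force, which is presumably `demand` but is not pinned or documented here, so a comment stating that the library default applies would help the next reader. sssm_ldap_auth_init starts before this hunk and continues after it.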